split admins

split admins

[Tom]

Policy Question:

I've tried setting up a seperate "security admin" role, as a 1st step
towards a split admin concept. Idea being that sysadm_r can not change the
SELinux policy (obviously I'll have to think about "circumvention" ways
like access to lilo, raw devices, etc. later), but a new role,
secadm_r, has control over these areas.

one problem I encountered was that newrole -r secadm_r didn't work,
kicking me out with:
arkham:~# newrole -r secadm_r
Couldn't get default type.

So where do I set this default type? I didn't find anything obvious,
and actually, I believed that my modification of domains/admin.te,
which included role secadm_r type secadm_t would've taken care of that.


If anyone's done something like this (splitting root into several
segments) before, any hints would be appreciated.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
     Key fingerprint = 276B B7BB E4D8 FCCE DB8F  F965 310B 811A D88D 35A6

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: split admins

[Stephen Smalley]

On Wed, 24 Apr 2002, Tom wrote:

> I've tried setting up a seperate "security admin" role, as a 1st step
> towards a split admin concept. Idea being that sysadm_r can not change the
> SELinux policy (obviously I'll have to think about "circumvention" ways
> like access to lilo, raw devices, etc. later), but a new role,
> secadm_r, has control over these areas.

When the example policy was originally being developed, there was an
initial attempt to provide such a distinction between a system
administrator and a security administrator, but the separate role was
discarded because it turns out to be very difficult to truly enforce a
separation between these two roles without severely limiting the system
administrator role, making it relatively useless.  The topic has also come
up previously on the list, e.g. see
http://marc.theaimsgroup.com/?l=selinux&m=100799744813965&w=2.

> one problem I encountered was that newrole -r secadm_r didn't work,
> kicking me out with:
> arkham:~# newrole -r secadm_r
> Couldn't get default type.
>
> So where do I set this default type? I didn't find anything obvious,
> and actually, I believed that my modification of domains/admin.te,
> which included role secadm_r type secadm_t would've taken care of that.

This is another one of those annoying application configuration files,
/etc/security/default_type.  Might be obsoleted in the future.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: split admins

[Tom]

On Wed, Apr 24, 2002 at 09:59:37AM -0400, Stephen Smalley wrote:
> When the example policy was originally being developed, there was an
> initial attempt to provide such a distinction between a system
> administrator and a security administrator, but the separate role was
> discarded because it turns out to be very difficult to truly enforce a
> separation between these two roles without severely limiting the system
> administrator role, making it relatively useless.  The topic has also come
> up previously on the list, e.g. see
> http://marc.theaimsgroup.com/?l=selinux&m=100799744813965&w=2.

I'll check that discussion and give it a go. I'm happy with not doing
away root=god. I'm more interested in having, say, an application-level
admin (control over the daemons, network services, whatever). Just
thought a security admin would be a useful thing to start this with.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/D88D35A6 2001-11-14 Tom Vogt <tom@lemuria.org>
     Key fingerprint = 276B B7BB E4D8 FCCE DB8F  F965 310B 811A D88D 35A6

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: split admins

[Stephen Smalley]

On Wed, 24 Apr 2002, Tom wrote:

> one problem I encountered was that newrole -r secadm_r didn't work,
> kicking me out with:
> arkham:~# newrole -r secadm_r
> Couldn't get default type.

By the way, if you specify a type explicitly to newrole (via the -t
option), it won't bother with /etc/security/default_type.  Naturally,
if the type isn't authorized for the role, it will fail.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.